PROCESS FOR MATCHING A NUMBER N OF RECEPTION TERMINALS
WITH A NUMBER M OF CONDITIONAL ACCESS CONTROL CARDS

DISCLOSURE 

Technical field 

The invention is in the field of security of
broadcast digital data and reception equipment that
will receive these data in a data and/or services
distribution network and is more specifically related
to a method for matching a number N of data reception
equipment with a number M of external security modules,
each reception equipment being provided with a unique
identifier, and each external security module having a
unique identifier.

The invention also relates to reception equipment 
that can be matched with a plurality of external 
security modules to manage access to digital data 
distributed by an operator. 

State of the prior art

More and more operators are offering data and
on-line services accessible from terminals provided with
security processors. In general, distributed data and
services are scrambled when being sent by using secret
keys, and are descrambled on reception using the same
secret keys previously provided to the subscriber.

Apart from classical access control techniques
based on scrambling when sending and descrambling on
reception of the distributed data, operators propose
techniques based on matching of the reception terminal
with a security processor to prevent the distributed
data and services from being accessible to users who
are using a stolen terminal or a pirated card.

Document WO 99 57901 describes a matching
mechanism between a receiver and a security module
based firstly on encryption and decryption of
information exchanged between the receiver and the
security module by a unique key stored in the receiver
or in the security module, and secondly on the presence
of a receiver number in the security module.

One disadvantage of this technique is due to the
fact that the association between a receiver and the
security module matched to it is set up in advance, and
the operator cannot efficiently manage his collection
of reception equipment to prevent this equipment being
used improperly for fraudulent purposes.

One purpose of the matching method according to
the invention is to enable each operator to limit use
of his collection of reception equipment by dynamically
controlling configuration of the reception equipment
and external security modules that will cooperate with
this equipment.

Presentation of the invention

The invention recommends a method for matching a
number N of data reception equipment with a number M of
external security modules, each reception equipment
being provided with a unique identifier, and each
external security module having a unique identifier,
this method comprising a configuration phase and a
check phase.

According to the invention, the configuration 
phase comprises the following steps: 

- memorising a list of identifiers of reception
equipment in each external security module,

- memorising a list of identifiers of external
security modules in each reception equipment,

and the check phase consists of authorising access
to data if the identifier of an external security
module connected to a reception equipment is present in
the list memorised in this reception equipment, and if
the identifier of said reception equipment is present
in the list memorised in said external security module,
and otherwise of disturbing access to said data.

Preferably, the configuration is used only when
the user connects an external security module to a
reception equipment.

In one preferred embodiment, the method according
to the invention comprises a step in which the operator
transmits a signal to the reception equipment to manage
the check phase comprising at least one of the
following set values:

- activating the check phase at a programmed date
or after a programmed delay,

- deactivating the check phase at a programmed
date or after a programmed delay,

- specifying an absolute date (or a delay)
starting from which (or after which) the check phase is
activated or deactivated,

- cancelling said programmed date (or said
programmed delay).

In a first variant, the operator also transmits a
signal to the reception equipment containing a message
to delete the list of identifiers memorised in the
reception equipment.

Said signal message is transmitted to said
reception equipment through an EMM (Entitlement
Management Message) specific to this reception
equipment.

This signal may be transmitted to a group of
reception equipment through an EMM message specific to
said group of reception equipment.

In a second variant, the operator also transmits a
signal to the external security module containing a
message to delete the list of identifiers memorised in
this external security module. Said signal message is
transmitted to said external security module through a
specific EMM message, and can be transmitted to a group
of external security modules through an EMM message
specific to said group of external security modules.

According to another characteristic of the method
according to the invention, the operator transmits
firstly the list of M identifiers of external security
modules to a reception equipment through an EMM message
specific to said reception equipment, and secondly the
list of N identifiers of reception equipment to an
external security module through an EMM message
specific to said external security module.

According to another variant, the operator
transmits firstly the list of M identifiers of external
security modules to a group of reception equipment
through an EMM message specific to the group of
reception equipment, and secondly the list of N
identifiers of reception equipment to a group of
external security modules through an EMM message
specific to said group of external security modules.

In another variant embodiment, the operator
transmits a signal message for the check phase to a
group of reception equipment in a private flow that is
processed by a dedicated software executable in each
reception equipment as a function of the identifier of
said reception equipment.

Alternatively, the list of identifiers of external
security modules is transmitted in a private flow to a
group of reception equipment and is processed by a
dedicated software executable in each reception
equipment as a function of the identifier of said
reception equipment, and the list of identifiers of
reception equipment is transmitted to a group of
external security modules in a private flow that is
processed by a dedicated software executable in each of
said external security modules or in the reception
equipment to which one of said external security
modules is connected, as a function of the identifier
of said external security module.

In one example application of the method according
to the invention, the digital data represent
audiovisual programs distributed in plain text or in
scrambled form.

According to another characteristic, the list of
identifiers of the M security modules memorised in a
reception equipment is encrypted, and the list of
identifiers of the N reception equipment memorised in
an external security module is encrypted.

Advantageously, the method according to the
invention also includes a mechanism designed to prevent
use of an EMM transmitted to the same external security
module or to the same reception equipment.

EMM messages specific to a security module or a
reception equipment are in the following format:

EMM-U_section() {
    table_id = 0x88                     8 bits
    section_syntax_indicator = 0        1 bit
    DVB_reserved                        1 bit
    ISO_reserved                        2 bits
    EMM-U_section_length               12 bits
    unique_address_field               40 bits
    for (i=0; i<N; i++) {
        EMM_data_byte                   8 bits
    }
}

EMM messages specific to all external security
modules or to all reception equipment are in the
following format:

EMM-G_section() {
    table_id = 0x8A or 0x8B             8 bits
    section_syntax_indicator = 0        1 bit
    DVB_reserved                        1 bit
    ISO_reserved                        2 bits
    EMM-G_section_length               12 bits
    for (i=0; i<N; i++) {
        EMM_data_byte                   8 bits
    }
}

EMMs specific to a sub-group of external security
modules or a sub-group of reception equipment are in
the following format:

EMM-S_section() {
    table_id = 0x8E                     8 bits
    section_syntax_indicator = 0        1 bit
    DVB_reserved                        1 bit
    ISO_reserved                        2 bits
    EMM-S_section_length               12 bits
    shared_address_field               24 bits
    reserved                            6 bits
    data_format                         1 bit
    ADF_scrambling_flag                 1 bit
    for (i=0; i<N; i++) {
        EMM_data_byte                   8 bits
    }
}

The method according to the invention is used in
an access control system containing a plurality of
reception equipment each with a unique identifier and
capable of cooperating with a plurality of external
security modules each with a unique identifier, each
external security module containing information about a
subscriber's access rights to digital data distributed
by an operator, this system also including a commercial
management platform communicating with said reception
equipment and with said external security modules. This
system also includes:

- a first module arranged in said commercial
management platform and designed to generate matching
queries,

- and a second module arranged in said reception
equipment and external security modules and designed to
process said queries to prepare a matching
configuration.

The method according to the invention can be used
in an architecture in which the reception equipment
includes a decoder and the external security module
comprises an access control card in which information
about a subscriber's access rights to digital data
distributed by an operator is memorised. In this case,
matching is done between said decoder and said card.

Alternatively, the method according to the invention
can be used in an architecture in which the reception
equipment includes a decoder and the external security
module includes a removable security interface provided
with a non-volatile memory and designed to cooperate
firstly with the decoder, and secondly with a plurality
of conditional access control cards to manage access to
digital data distributed by an operator. In this case,
matching is done between said decoder and said
removable security interface.

The method according to the invention can also be
used in an architecture in which the reception
equipment includes a decoder provided with a removable
security interface with a non-volatile memory designed
to cooperate firstly with said decoder and secondly
with a plurality of conditional access control cards.
In this case, matching is done between said removable
security interface and said access control cards.

The invention also relates to reception equipment
that can be matched with a plurality of external
security modules to manage access to digital data
distributed by an operator. This reception equipment
includes:

- a non-volatile memory designed to memorise a
list of external security modules,

- means of verifying if the identifier of an
external security module connected to said equipment is
present in the list memorised in said non-volatile
memory.

In a first embodiment, this reception equipment
includes a decoder and the external security module is
an access control card containing information about the
access rights of a subscriber to said digital data,
matching being done in this case between said decoder
and said card.






In a second embodiment, this reception equipment
includes a decoder and the external security module is
a removable security interface provided with a
non-volatile memory that will cooperate firstly with said
decoder and secondly with a plurality of conditional
access control cards to manage access to said digital
data, matching being done in this case between said
decoder and said removable security interface.

In a third embodiment, this reception equipment
includes a decoder provided with a removable security
interface with a non-volatile memory and that will
cooperate firstly with said decoder and secondly with a
plurality of conditional access control cards and
matching is done between said removable security
interface and said access control cards.

The invention also relates to a decoder that can
cooperate with a plurality of external security modules
to manage access to audiovisual programs distributed by
an operator, each external security module having a
unique identifier and comprising at least one data
processing algorithm. This decoder comprises:

- a non-volatile memory that will memorise a list
of external security modules,

- means of verifying if the identifier of an
external security module connected to said decoder is
present in the list memorised in said non-volatile
memory.

In a first variant, said external security modules
are access control cards in which information about
access rights of a subscriber to digital data
distributed by an operator is memorised.

In a second variant, said external security
modules are removable security interfaces comprising a
non-volatile memory and designed to cooperate firstly
with the decoder and secondly with a plurality of
conditional access control cards to manage access to
digital data distributed by an operator.

The invention also relates to a removable security
interface designed to cooperate firstly with a
reception equipment and secondly with a plurality of
conditional access control cards, to manage access to
digital data distributed by an operator, each card
having a unique identifier and containing information
about access rights of a subscriber to said digital
data.

This interface comprises:

- a non-volatile memory that will be used to
memorise a list of subscriber cards,

- means of verifying if the identifier of a card
associated with said interface is present in the list
memorised in said non-volatile memory.

In a first example embodiment, the removable
interface is a PCMCIA (Personal Computer Memory Card
International Association) card including a digital
data descrambling software.

In a second example embodiment, the removable
interface is a software that can be executed either in
the reception equipment or in an access control card.

The process is controlled by a computer program
executable on N reception equipment that can be matched
with M external security modules each with a unique
identifier and in which information about access rights
of a subscriber to digital data distributed by an
operator is stored. This program comprises
instructions for memorising a list of identifiers of
part or all of N reception equipment in each external
security module, and instructions to memorise a list of
identifiers of part or all of the M external security
modules in each reception equipment, instructions to
control the identifier of an external security module
connected to a reception equipment and the identifier
of said reception equipment, and instructions to
prevent access to said data if the identifier of the
external security module connected to the reception
equipment is not present in the list of identifiers
previously memorised in this reception equipment or if
the identifier of said reception equipment is not
present in the list of identifiers previously memorised
in said external security module.

Brief description of the drawings

Other characteristics and advantages of the
invention will become clear from the following
description given as a non-limitative example with
reference to the appended figures in which:

- figure 1 shows a first system architecture for
use of matching according to the invention,

- figure 2 shows a second system architecture for
use of matching according to the invention,

- figure 3 shows a third system architecture for
use of matching according to the invention,

- figure 4 shows the structure of EMM_decoder
messages for configuration and use of matching
functions according to the invention,

- figure 5 shows the structure of EMM_card
messages for configuration of matching functions
according to the invention,

- figure 6 is a functional diagram schematically
showing the states of the matching function onboard a
reception equipment,

- figure 7 shows a flowchart illustrating a
particular embodiment of use of matching according to
the invention.

Detailed description of particular embodiments 

The invention will now be described within the
framework of an application in which an operator
broadcasting audiovisual programs uses the method
according to the invention to limit use of his
reception equipment to his own subscribers.

The method may be used in three distinct
architectures shown in figures 1, 2 and 3 respectively.
Identical elements in these three architectures are
denoted by identical references.

Management of matching is done from a commercial
platform 1 controlled by the operator and communicating
with reception equipment installed at the subscriber.

In the first architecture shown in figure 1, the
reception equipment includes a decoder 2 in which an
access control software 4 is installed, and the
external security module is an access control card 6
containing information about access rights of a
subscriber to broadcast audiovisual programs. In this
case, matching is done between the decoder 2 and the
card 6.

In the second architecture shown in figure 2, the
reception equipment includes a decoder 2 not dedicated
to access control, and the external security module is
a removable security interface 8 provided with a
non-volatile memory and in which the access control
software 4 is installed. This interface 8 cooperates
firstly with said decoder 2, and secondly with a card 6
among a plurality of conditional access control cards,
to manage access to said audiovisual programs.

In this architecture, matching is done between
said removable security interface 8 and said access
control card 6.

In the third architecture shown in figure 3, the
reception equipment includes a decoder 2 in which an
access control software 4 is installed, and which is
connected to a removable security interface 8 with a
non-volatile memory designed to cooperate firstly with
said decoder 2, and secondly with a card 6 among a
plurality of conditional access control cards.

In this case, matching is done between the decoder
2 and the removable security interface 8.

The configuration and use of matching by the
operator is the result of commands sent by the
commercial management platform 1 installed at the
operator.

The following description relates to use of the
invention in the case of matching of N dedicated
decoders 2 with M cards 6. The steps used are
applicable to the three architectures described above.

All matching processing is inactive when N 
decoders 2 leave the factory, and also after access 
control software 4 has been downloaded into each 
decoder 2. In particular: 

- no card identifier is memorised in the decoders
2,

- check of card identifiers 6 by the decoders 2 is
not active,

- check by the decoders 2 of the presence of their
own identifier in the cards 6 is not active.

Similarly, when the M cards 6 leave the factory, 
there is no decoder identifier 2 memorised in the cards 
6. 

Matching can then be configured and used in the N 
decoders 2 and in the M cards 6 by a query from the 
operator through the management platform 1 that sends: 

- EMM_decoder messages dedicated to matching, to
the N decoders 2,

- EMM_card messages dedicated to matching, to the
M cards 6. These EMM_card messages are sent to the
cards 6 directly or are integrated into EMM_decoder
messages.

EMM_decoder messages perform the following tasks:

- activate the matching function in the N decoders
2. In this case, each decoder verifies if the
identifier of a card 6 inserted in the decoder card
reader forms part of the identifiers that it memorised
and that the identifier of this decoder 2 forms part of
the identifiers of decoders memorised in this card 6.
If this is not the case, a disturbance is applied in
the access to data.

- deactivate the matching function in the N
decoders 2. In this case, each decoder 2 does not check
its identifier or the identifier of the card.

- load the list of M identifiers of cards 6
matched to the N decoders 2, into these decoders.

- erase identifiers of cards 6 already memorised
in the N decoders 2.

EMM_card messages:

- load the list of N identifiers of decoders 2
matched to these cards, in the M cards 6.

- erase the identifiers of decoders 2 already
memorised in the M cards 6.

Addressing of EMM messages

EMM messages used for configuration and use of
functions related to matching according to the method
of the invention are sent in an EMM channel
of a digital multiplex as defined by the MPEG2/System
standard and DVB/ETSI standards.

This channel can broadcast EMMs referencing a card
address so that they can be addressed directly to:

- a particular card,

- cards in a particular group,

- all cards.

This channel can also broadcast EMMs referencing a
decoder address so that they can be addressed directly
to:

- a particular decoder,

- a particular group of decoders,

- all decoders.

Messages intended for a particular card or for a
particular decoder are EMM-U messages with the
following structure:

EMM-U_section() {
    table_id = 0x88                     8 bits
    section_syntax_indicator = 0        1 bit
    DVB_reserved                        1 bit
    ISO_reserved                        2 bits
    EMM-U_section_length               12 bits
    unique_address_field               40 bits
    for (i=0; i<N; i++) {
        EMM_data_byte                   8 bits
    }
}

The unique_address_field parameter is the unique
address of a card in a card EMM-U or the unique address
of a decoder in a decoder EMM-U.

Messages intended for cards in a particular group
of cards or decoders in a particular group of decoders
are EMM-S messages with the following structure:

EMM-S_section() {
    table_id = 0x8E                     8 bits
    section_syntax_indicator = 0        1 bit
    DVB_reserved                        1 bit
    ISO_reserved                        2 bits
    EMM-S_section_length               12 bits
    shared_address_field               24 bits
    reserved                            6 bits
    data_format                         1 bit
    ADF_scrambling_flag                 1 bit
    for (i=0; i<N; i++) {
        EMM_data_byte                   8 bits
    }
}

The shared_address_field parameter is the address
of the group of cards in a card EMM-S or the address of
the group of decoders in a decoder EMM-S. A decoder in
a group or a card in a group is concerned by the
message if it is also explicitly designated in an ADF
field that is contained in EMM_data_byte and that can be
encrypted using the ADF_scrambling_flag information.

Messages intended for all cards or all decoders
are EMM-G messages with the following structure:

EMM-G_section() {
    table_id = 0x8A or 0x8B             8 bits
    section_syntax_indicator = 0        1 bit
    DVB_reserved                        1 bit
    ISO_reserved                        2 bits
    EMM-G_section_length               12 bits
    for (i=0; i<N; i++) {
        EMM_data_byte                   8 bits
    }
}
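
The three section layouts above reduce to a few shifts and masks on the receiving side. The following Python parser and address filter is an added example, not code from the patent or from any conditional access product. It assumes that the 12-bit section length counts the bytes that follow it, as in MPEG-2 private sections, and that EMM_data_byte runs to the end of the section; the sample sections and addresses are constructed.

```python
"""Parser and address filter for the EMM-U / EMM-S / EMM-G layouts.

Assumptions (not stated on the page): section_length counts the bytes
that follow it, and EMM_data_byte runs to the end of the section.
"""

EMM_U = 0x88
EMM_S = 0x8E
EMM_G = (0x8A, 0x8B)

# Constructed sample sections (not captured traffic).
SAMPLE_EMM_U = bytes.fromhex("8870080000123456aabbcc")
SAMPLE_EMM_S = bytes.fromhex("8e700600002afd0102")
SAMPLE_EMM_G = bytes.fromhex("8a7001ff")


class EMMError(ValueError):
    """Raised for sections that do not fit one of the three layouts."""


def parse_emm_section(buf: bytes) -> dict:
    if len(buf) < 3:
        raise EMMError("truncated header")
    table_id = buf[0]
    word = (buf[1] << 8) | buf[2]
    if word >> 15:                       # section_syntax_indicator must be 0
        raise EMMError("section_syntax_indicator is not 0")
    length = word & 0x0FFF               # low 12 bits; reserved bits ignored
    if len(buf) < 3 + length:
        raise EMMError("section_length runs past the end of the buffer")
    body = buf[3:3 + length]             # never read beyond the declared length

    if table_id == EMM_U:
        if len(body) < 5:
            raise EMMError("EMM-U too short for unique_address_field")
        return {"kind": "EMM-U",
                "address": int.from_bytes(body[:5], "big"),   # 40 bits
                "data": body[5:]}
    if table_id == EMM_S:
        if len(body) < 4:
            raise EMMError("EMM-S too short for shared_address_field")
        flags = body[3]                  # reserved(6) data_format(1) ADF flag(1)
        return {"kind": "EMM-S",
                "address": int.from_bytes(body[:3], "big"),   # 24 bits
                "data_format": (flags >> 1) & 1,
                "adf_scrambling_flag": flags & 1,
                "data": body[4:]}
    if table_id in EMM_G:
        return {"kind": "EMM-G", "address": None, "data": body}
    raise EMMError("table_id 0x%02X is not an EMM section" % table_id)


def concerns(section: dict, unique_address: int, shared_address: int) -> str:
    """Decide whether a card or decoder with these addresses is targeted.

    Returns "yes", "no" or "check_adf". For EMM-S the group address is
    necessary but not sufficient: the device must also be designated in
    the ADF field inside EMM_data_byte, whose layout the page leaves open.
    """
    kind = section["kind"]
    if kind == "EMM-G":
        return "yes"
    if kind == "EMM-U":
        return "yes" if section["address"] == unique_address else "no"
    if section["address"] != shared_address:
        return "no"
    return "check_adf"
```

A receiver that accepts a section whose declared length exceeds the received bytes, or that treats a matching group address alone as sufficient for an EMM-S, processes data it was never addressed with; both cases are rejected or deferred here.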

Content of decoder EMM messages

Figure 4 diagrammatically shows the content of
EMM_data_byte data in a matching EMM_decoder message.
This content depends on the function to be executed by
a decoder 2 for configuration or use of matching.

EMM_data_byte data include the following
functional parameters:

- ADF 20: address complement of a decoder in a
group of decoders; this parameter is useful for
addressing by group, otherwise it can be omitted; it
can be encrypted.

- SOID 22: identification of matching message
according to the invention, among other types of
messages.

- OPID/NID 24: identification of the group of
decoders and the operator's signal.

- TIME 26: time-stamping data for the sending of the
message; this parameter is used to avoid the message
being replayed by the same decoder.

- CRYPTO 28: identification of cryptographic
protection functions applied to FUNCTIONS parameters
32; FUNCTIONS parameters can be encrypted and protected
by a cryptographic redundancy 30.

- FUNCTIONS 32: all parameters describing the
configuration and use of matching.

- STBID 34: unique address of the decoder
concerned by the message. This parameter is present in
a decoder EMM-U, otherwise it can be omitted.

The above functional parameters are freely
organised in the EMM_data_byte data of an EMM_decoder
message. One preferred implementation is the
combination of these parameters by a TLV (Type Length
Value) structure.

Content of card EMM messages

Figure 5 diagrammatically shows the content of
EMM_data_byte data in a matching EMM_card message. This
content is used to write, modify or erase a list of
terminal identifiers.

EMM_data_byte data include the following
functional parameters:

- SOID 40: operator identification.

- ADF 42: address complement of a card in a group
of cards; this parameter is useful when addressing by
group, otherwise it can be omitted; it can be
encrypted.

- CRYPTO 44: identification of cryptographic
protection functions applied to the LDA parameter 48
and to other parameters 50; parameters 48 and 50 can be
encrypted and protected by cryptographic redundancy 46.

- LDA 48 (List of authorised decoders): this
parameter contains the list of decoder identifiers with
which the card can operate.

EMM_data_byte data can also contain other
parameters 50 concerning functions of the card other
than matching.

Parameters in the EMM_data_byte data are freely
organised in these data of a card EMM message. One
preferred implementation is the combination of these
parameters by a TLV (Type Length Value) structure.

Configuration and use of matching

The complete set of all FUNCTIONS parameters 32 in
an EMM_decoder describes the configuration and use of
matching according to the invention. This set of
parameters is an arbitrary combination of the following
functional parameters:

- MODE: this parameter activates, deactivates or
reinitialises the matching solution according to the
invention. After deactivation, the decoder does not
check the identifier of a card inserted, but keeps the
list of memorised identifiers. After reinitialisation,
the decoder does not check the identifier of an
inserted card and no longer has any memorised card
identifiers.

- LCA (List of authorised cards): this parameter
loads the list of card identifiers with which it can
operate, in a decoder.

- Disturbance: this parameter describes the
disturbance to be applied by the decoder in the data
access in the case of a card not matched with the
decoder.

- Date/Delay: this parameter characterises the
matching activation or deactivation date or delay.

The above functional parameters are freely
organised in all FUNCTIONS parameters 32. One preferred
implementation is the combination of these parameters
by a TLV (Type Length Value) structure.

Furthermore, in some types of service such as a
form of matching a decoder with a card, an EMM_decoder
can transport one or several EMM_cards. In this case,
the EMM_card(s) is (are) included in the set of
FUNCTIONS parameters 32 in a manner that can be clearly
identified by the decoder that can extract and provide
the EMM_card(s) to the inserted card. One preferred
implementation to include EMM_card in the set of
FUNCTIONS parameters 32 of an EMM_decoder is to use a
particular TLV structure containing EMM_card(s) with
all related addressing data.

Another use of EMM_card in an EMM_decoder is to
memorise that this EMM_decoder has already been
processed by the decoder, in the card, so as to avoid a
replay on another decoder so that this EMM can be
processed once only by a single decoder; semantically,
these data mean "Already processed" and are verified
by the access control software 4 of the decoder 2 when
it processes this EMM. One preferred embodiment of this
anti-replay mechanism is to write these data in a FAC
(Facilities Data Block) data block on the card.

Operation

Operation of matching according to the invention
will now be described with reference to figures 6 and
7.

Figure 6 is a functional diagram diagrammatically
showing states of the matching function of the access
control software 4 onboard a decoder 2.

The matching function is in the inactive state 60
when the access control software 4 has just been
installed or downloaded 61, or when it has received a
deactivate matching order 62 or reinitialise matching
order 64 from the management platform 1. In this state,
the access control software 4 will operate with a card
6 inserted in the decoder 2 without verifying matching
with this card.

In order to activate matching between M decoders 2
and N cards 6, the operator activates the following
through the management platform 1:

- processing 70 to define the matching
mode (= active), and the applicable disturbance
type in access to data if matching fails,

- processing 72 to define the LCA list to
be loaded in these N decoders of identifiers of M
authorised cards,

- processing 74 to define the LDA list to
be loaded in these M cards of identifiers of N
authorised decoders.

Depending on this information, the management
platform 1 generates and sends (arrow 76):

• at least one EMM_decoder message to load
the LCA list of authorised cards 6 into the
non-volatile memory of the N decoders 2,

• at least one EMM_card message to load
the LDA list of authorised decoders into the
non-volatile memory of M cards 6,

• at least one EMM_decoder message to load
configuration parameters into the non-volatile
memory of the N decoders 2.

The matching function in a decoder 2 changes to 
the active state 78. 

During activation of the matching function in a 
decoder 2 with loading of the LCA list of authorised 
cards 6 and/or the LDA list of authorised decoders 2, 
the configuration parameters may be taken into account 
by a decoder 2 with a time delay defined by the 
Date/Delay parameter to guarantee effective loading of 
the LCA list of authorised cards 6 into a decoder 2 and 
the LDA list of authorised decoders 2 in a card 6. 

During reactivation of the matching function in a
decoder 2, if the LCA list of authorised cards 6 and/or
the LDA list of authorised decoders 2 does not have to
be changed, the corresponding EMMs are neither
generated nor sent.

The operator may deactivate (step 80) matching in
a decoder 2, from the management platform 1 that
generates and sends (arrow 82) an EMM message
addressing the decoder(s) 2 concerned and containing a
deactivation order without erasing the matching context
62 or a RESET order of the matching context 64.

The matching function in a decoder 2 changes to
the inactive state 60.

Effective acceptance of the deactivation order by 
a decoder 2 may be delayed in time as defined by the 
Date/Delay parameter. 

Regardless of the state of a matching function,
either inactive 60 or active 78, it may receive a list
of authorised LCA cards 6 through the decoder EMM (step
72) or a list of authorised LDA decoders 2 (step 74)
from the management platform 1.

Acceptance of one of the M cards 6 by the matching
function of one of N decoders 2 is described in the
flowchart in figure 7.

When a card 6 is inserted (step 100) into the
decoder 2, the onboard access control software 4 in the
decoder tests (step 102) if the matching function is in
the active state 78.

If the matching function in the decoder is in the 
inactive state 60, the decoder will operate with the 
inserted card (108). 

If the matching function in the decoder is in the
active state 78, the access control software:

• reads the identifier of the inserted
card and verifies (step 104) if this identifier
is in the list of authorised cards 6 memorised
in the decoder 2,

• reads the list of authorised decoders in
the inserted card and verifies (step 106) if
the identifier of the decoder 2 is present in
this list.

The tests 104 and 106 may be executed in any
order.

If the results of these two identifier tests 104
and 106 are positive, the access control software 4
agrees to operate with the inserted card 6 (step 108).
Broadcast programs can then be accessed, provided that
other access conditions attached to these programs are
satisfied.

If the result of at least one of the tests 104 and
106 is not positive, the access control software 4
refuses to operate with the inserted card 6 and applies
(step 110) the disturbance in data access as defined by
the operator. Such a disturbance may consist of
blocking access to broadcast programs. It may be
accompanied by a message prompting the subscriber to
insert another card 6 in the decoder 2, displayed
on the screen of the terminal with which the decoder is
associated.

When the card 2 is extracted (step 112) from the
decoder 2, the access control software starts waiting
for a card to be inserted (step 100).

The disturbance applied in step 110 in access to
data in the case of a matching fault may be of
different natures, such as:

- Stop audio and video on encrypted channels
(obtained by not submitting ECMs to the card to
calculate CWs);

- Stop audio and video on plain text and analogue
channels (obtained by a message to the middleware);

- Send a message to the terminal middleware
(example: Open TV message).

This disturbance may also be used to block stolen
decoders.
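
The states of figure 6 and the acceptance flow of figure 7 can be modelled in a few lines. The following Python model is an added example, not part of the patent text or of any product's code. The identifier strings, the disturbance label and the integer timestamps are constructed, and treating Date/Delay as an effective time evaluated at card insertion is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Mode(Enum):             # values carried by the MODE parameter
    ACTIVATE = 1
    DEACTIVATE = 2            # stop checking, keep the memorised list
    REINITIALISE = 3          # stop checking and erase the memorised list


@dataclass
class Card:
    card_id: str
    lda: Set[str] = field(default_factory=set)    # LDA: authorised decoders


@dataclass
class Decoder:
    decoder_id: str
    lca: Set[str] = field(default_factory=set)    # LCA: authorised cards
    active: bool = False                          # inactive state 60 at start
    disturbance: str = "stop_scrambled_av"        # hypothetical label
    pending: Optional[Tuple[int, Mode]] = None    # deferred MODE (Date/Delay)

    def load_lca(self, card_ids):
        """Lists are accepted in either state (step 72)."""
        self.lca = set(card_ids)

    def apply_mode(self, mode, now, effective_at=None):
        if effective_at is not None and effective_at > now:
            self.pending = (effective_at, mode)   # programmed date
            return
        self.pending = None
        self.active = mode is Mode.ACTIVATE
        if mode is Mode.REINITIALISE:
            self.lca.clear()

    def cancel_pending(self):
        """Cancel a programmed date or delay."""
        self.pending = None

    def on_card_inserted(self, card, now):
        if self.pending and self.pending[0] <= now:
            self.apply_mode(self.pending[1], now)
        if not self.active:                           # test 102
            return "operate"
        card_known = card.card_id in self.lca         # test 104
        decoder_known = self.decoder_id in card.lda   # test 106
        if card_known and decoder_known:
            return "operate"                          # step 108
        return self.disturbance                       # step 110


def demo():
    """Walk one decoder through the states with constructed identifiers."""
    d = Decoder("STB-0001")
    c1 = Card("CARD-A", {"STB-0001"})     # listed on both sides
    c2 = Card("CARD-B", {"STB-0002"})     # in the LCA, but its LDA names another decoder
    c3 = Card("CARD-C", {"STB-0001"})     # names this decoder, but is not in the LCA
    r = {}
    r["factory"] = d.on_card_inserted(c3, now=0)
    d.load_lca(["CARD-A", "CARD-B"])
    d.apply_mode(Mode.ACTIVATE, now=10, effective_at=100)
    r["before_date"] = d.on_card_inserted(c3, now=50)
    r["both_listed"] = d.on_card_inserted(c1, now=100)
    r["decoder_not_in_lda"] = d.on_card_inserted(c2, now=101)
    r["card_not_in_lca"] = d.on_card_inserted(c3, now=102)
    d.apply_mode(Mode.DEACTIVATE, now=200)
    r["deactivated"] = (d.on_card_inserted(c3, now=201), sorted(d.lca))
    d.apply_mode(Mode.ACTIVATE, now=300)
    d.apply_mode(Mode.REINITIALISE, now=301)
    r["reinitialised"] = (d.on_card_inserted(c3, now=302), sorted(d.lca))
    d.apply_mode(Mode.ACTIVATE, now=400)  # active with an empty LCA
    r["active_empty_lca"] = d.on_card_inserted(c1, now=401)
    return r
```

The last case shows what the Date/Delay parameter guards against: a decoder that becomes active before its LCA list has been loaded applies the disturbance to every card, including legitimate ones.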

In the case described in figure 2 in which the
access control software 4 is executed in the removable
interface 8 connected to a decoder 2, the logic
controller described in figure 4 and the flowchart
described in figure 5 are applicable directly to the
onboard access control software 4 in this removable
interface 8.



